Just want a passthrough

BDFW
Just browsing
Hi guys,

I'm trying to use a site to site VPN for the first time and can't seem to find the issue. I have two MX100s, both of which have their Internet ports connected to a switch giving them an IP and access to the Internet. Then on their LAN ports are either side of the Cisco switches I have plugged in. Upstream is a 3850 and downstream is a Cat9300. When I connect these directly with static routing, IPs on the interfaces with no switchports, they work fine and all subnets are available and routing. However, when I insert the two MX devices in layer 2 passthrough mode the VPN comes up, but there is no connectivity between the 3850 and the 9300. On the 3850 (upstream) side I have the local subnets as 0.0.0.0/0, which is a default route, and on the 9300 (downstream) side there are subnets set up for a /16 as well as the /30 point to point link. Both MX devices are configured as hubs and set up for passthrough or VPN concentrator. Anyone else run into this issue in this scenario?

Adam
Kind of a big deal

Are you staging these by connecting them both to the same upstream switch/internet or will this be their permanent configuration?  What is your ultimate goal?  Any reason to just not have had one MX if they are both at the same site with whatever needed firewall restrictions?

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
BDFW
Just browsing

They are at the same location for staging purposes only. The goal is to connect up a remote site over the Internet.

Adam
Kind of a big deal

We had issues doing this as well since the MXs need distinct public IPs to allow the VPN tunnel to establish.  Otherwise, they are trying to establish a tunnel over the same circuit.  If you have another connection you can use for one of the MX setups it would make it easier.  Otherwise they need to have different public IPs assigned.

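The staging pre-check implied by the two replies above (distinct, non-NATed uplink addresses, and no overlapping local subnets between the two hubs), as an added example that is not from the thread or from Meraki; the hub names, addresses and subnets are constructed assumptions that mirror the original post's 0.0.0.0/0 versus /16 plus /30 layout:

```python
from ipaddress import ip_address, ip_network
from itertools import combinations

# Constructed staging values for illustration only; hub names and
# addresses are assumptions, not the poster's real configuration.
HUBS = {
    "MX-Main":   {"wan_ip": "198.51.100.10", "local_subnets": ["0.0.0.0/0"]},
    "MX-Remote": {"wan_ip": "192.168.1.20",
                  "local_subnets": ["10.0.0.0/16", "10.255.0.0/30"]},
}

# Checked explicitly rather than via is_private, which would also flag the
# documentation (TEST-NET) addresses used in the sample data above.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


def check_hub_pair(hubs):
    """Return findings that would stop two hubs from forming a usable tunnel:
    a shared or NATed WAN address, or local subnets that overlap between
    the peers (so returning traffic has no unambiguous path)."""
    findings = []
    wan = {name: ip_address(h["wan_ip"]) for name, h in hubs.items()}

    # Each hub needs its own address that the peer can reach directly.
    for name, ip in wan.items():
        if any(ip in net for net in RFC1918):
            findings.append(f"{name}: WAN address {ip} is RFC 1918, so the hub sits behind NAT")
    if len(set(wan.values())) < len(wan):
        findings.append("hubs share one WAN address, so they would tunnel over the same circuit")

    # Subnets advertised by different hubs must not overlap; 0.0.0.0/0 overlaps everything.
    nets = [(name, ip_network(s, strict=False))
            for name, h in hubs.items() for s in h["local_subnets"]]
    for (a, na), (b, nb) in combinations(nets, 2):
        if a != b and na.overlaps(nb):
            findings.append(f"{a} advertises {na}, which overlaps {nb} advertised by {b}")
    return findings


if __name__ == "__main__":
    for finding in check_hub_pair(HUBS):
        print("WARN:", finding)
```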
BDFW
Just browsing

They did have different public IP addresses, but did use the same pipe. Will try at home, but is NAT an issue then?

Adam
Kind of a big deal

Are you NATing them to a public IP or do they have a true public IP assigned to their WAN interface?  But having one of them on a separate network connection should eliminate the issue altogether.

BDFW
Just browsing

One is true public and the other is NATed. Will try issuing them both public IPs and see if that makes a difference.

Adam
Kind of a big deal

Sounds good, let me know how you make out.

BDFW
Just browsing

It didn't seem to make a difference. I just want to have switch 1 look like it is directly connected to switch 2. This is what I'm looking to do:

[Image: MX-to-be-2.jpg]

Currently (as a proof of concept) MX Remote is plugged into another router at the main site, which then plugs into the Core for the Internet port. The LAN port then has Cisco router 2 plugged into it. When I connect router 1 to router 2 directly they work fine. I've done this with both EIGRP as well as static routing. Still doesn't work through the MX architecture.

Adam
Kind of a big deal

Definitely one of the more interesting topologies I've seen.  Are you using the Auto VPN feature between the MXs?  Can't remember if I asked that, but that would connect the two as if they were local to each other regardless of what is in between.  That link from CiscoRouter 1 through Core to the top firewall gives me a little concern.  You have a potential routing loop there if you're not careful.
